Marriott fined £99m for 2018 data breach

ICO says the hotel chain 'failed to undertake due diligence' in Starwood acquisition

Marriott Hotel sign

The Information Commissioner's Office (ICO) has said it will fine Marriott International over £99 million following a breach of its systems that led to the exposure of approximately 339 million guest records.

The hotel chain revealed in November that an unknown third party had gained unauthorised access to its Starwood guest reservation system by exploiting an unpatched vulnerability dating back to 2014.

Of the 339 million records accessed, it's thought around 30 million were related to residents of 31 countries in the European Economic Area, including seven million belonging to UK citizens.

Following an investigation by the ICO, it was found that Marriott, which bought the Starwood brand in 2016, "failed to undertake sufficient due diligence" during the acquisition and missed the vulnerability as a result. The hotel chain has now been fined £99,200,396 for infringements of GDPR.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.


"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Despite the large fine, the ICO said Marriott has co-operated with its investigation and has made improvements to its security arrangements since the breach came to light. The company will now have an opportunity to make representations to the ICO regarding the proposed findings and sanction.

It's been a busy week for the UK's data watchdog after it announced its intent on Monday to fine British Airways for a similar data breach in September 2018. On that occasion, the penalty was a record-breaking £183 million after hackers compromised the personal data of half a million customers.
